It's the latest case underscoring the hazards for anyone considering the investigation of possible flaws in websites. In 2005 network consultant Eric McCarty publicized flaws in the online application site for the University of Southern California. McCarty was prosecuted and pleaded guilty to a felony, resulting in six months of home detention. In 2008 a student at Carleton University in Ottawa, Canada, left school and faced hacking charges after he reported flaws in the school's administration system to officials.

Researchers who find flaws are not always the ideal Good Samaritans. For many security professionals, finding flaws is a method of marketing their skills. Others enjoy the challenge of finding flaws, and reporting them to the vendor is an afterthought. Yet reporting vulnerabilities helps security -- even if in the world of software applications many companies would seemingly rather not know.

Investigating issues in production Web servers is a different matter. Companies are rightly worried that a researcher with more bravado than brilliance could take down their service if an investigation into Web weaknesses goes awry. But attacking researchers with criminal complaints and legal threats only creates an environment that makes vulnerable websites the norm.

In interviews over the past five years, many researchers have indicated that if they suspect a website has a vulnerability, they will not investigate or inform the site's owner. Their advice: Just walk away.

Following his own similar case, Pascal Meunier, a professor at Purdue University, advised researchers to never report Web vulnerabilities. Instead, avoid the website and delete any evidence that points to a vulnerability. "You are not responsible for that website, it’s not your problem," Meunier wrote. "You have no reason to keep any such evidence. Go on with your life."

So far, only Google has given researchers a stated policy that investigating potential flaws is OK. Even though the search giant does place caveats on the immunity it will give researchers, other companies should follow Google's lead.